Linux Permissions

rwx

Permissions

At a basic level, permissions in Linux are a relationship between users, groups, files, and directories. Users can belong to multiple groups and groups can have multiple users. Every file and directory defines its permissions in terms of a user, a group, and "others" (all other users).

Users

User accounts are configured in the /etc/passwd file. User password hashes are stored in the /etc/shadow file. Users are identified by an integer user ID (UID). The "root" user account is a special type of account in Linux. It has an UID of 0, and the system grants this user access to every file.

Groups

Groups are configured in the /etc/group file. Users have a primary group, and can have multiple secondary (or supplementary) groups. By default, an user's primary group has the same name as their user account.

Files and Directories

All files & directories have a single owner and a group. Permissions are defined in terms of read, write, and execute operations. There are three sets of permissions, one for the owner, one for the group, and one for all "other" users (can also be referred to as "world"). Only the owner can change permissions.

File Permissions

File permissions are self explanatory:

Read
- When set, the file contents can be read.
Write
- When set, the file contents can be modified.
Execute
- When set, the file can be executed (i.e. run as some kind of process).

Directory Permissions

Directory permissions are slightly more complicated:

Execute
- When set, the directory can be entered. Without this permission, neither the read nor write permissions will work.
Read
- When set, the directory contents can be listed.
Write
- When set, files and subdirectories can be created in the directory.

Special Permissions

Setuid (SUID) bit
- When set, files will get executed with the privileges of the file owner.
Setgid (SGID) bit
- When set on a file, the file will get executed with the privileges of the file group.
- When set on a directory, files created within that directory will inherit the group of the directory itself.

Viewing Permissions

The ls command can be used to view permissions:

The first 10 characters indicate the permissions set on the file or directory. The first character simply indicates the type (e.g. - for file, d for directory). The remaining 9 characters represent the 3 sets of permissions (owner, group, others). Each set contains 3 characters, indicating the read (r), write (w), and execute (x) permissions. SUID/SGID permissions are represented by an s in the execute position.

Real, Effective, and Saved UID/GID

Each user has 3 user IDs in Linux (real, effective, and saved).

A user's real ID is who they actually are (the ID defined in /etc/passwd). Ironically, the real ID is actually used less often to check a user's identity.

A user's effective ID is normally equal to their real ID, however when executing a process as another user, the effective ID is set to that user's real ID. The effective ID is used in most access control decisions to verify a user, and commands such as whoami use the effective ID.

Finally, the saved ID is used to ensure that SUID processes can temporarily switch a user's effective ID back to their real ID and back again without losing track of the original effective ID.

Examples

Print real and effective user/group IDs:

Print real, effective, saved, and file system user/group IDs of the current process (i.e. our shell):

PreviousLinux Privilege Escalation NextManual Enumeration

Last updated 3 years ago

Was this helpful?